It is pretty clear, the $_GET method is not sanitize before to be included in the SQL request...
https://www.w3schools.com/sql/sql_injection.aspBasic rules of the security, never trust the client.
Edit : I see what you mean, the mysql_real_escape_string is far to be enough to avoid the SQL Injection, many advanced SQL injection will by pass it :
-
https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string -
http://php.net/manual/en/function.mysql-real-escape-string.phpTry the given script with sqlmap.
Using the prepared statement is the only way to go if your SQL request will contain the single input from the client
mysqli_query (mysql_query is deprecated) can be used if the request do not rely on any input from the client
Example of mysql query ok :
"UPDATE `system` SET `deposits_last_round`=NOW() WHERE `id`=1 LIMIT 1";
Example of mysql query where you can expect hell :
"SELECT `id` FROM `players` WHERE `hash`='".prot($_GET['_unique'])."' LIMIT 1"
Except the SQL injection, there is other critical vuln on this script (path traversal, remote include...)